Board of Commissioners of Cook County 
Technology and Innovation Committee 

Wednesday, September 26,2018 10:45 AM Cook County Building, Board Room 

118 North Clark Street, Chicago, Illinois 

NOTICE AND AGENDA 

There will be a meeting of the Committee or Subcommittee of the Board of Commissioners of Cook 
County at the date, time and location listed above to consider the following: 

PUBLIC TESTIMONY 

Authorization as a public speaker shall only be granted to those individuals who have submitted in writing, 
their name, address, subject matter, and organization (if any) to the Secretary 24 hours in advance of the 
meeting. Duly authorized public speakers shall be called upon to deliver testimony at a time specified in 
the meeting agenda. Authorized public speakers who are not present during the specified time for public 
testimony will forfeit their allotted time to speak at the meeting. Public testimony must be genuane to a 
specific item(s) on the meeting agenda, and the testimony must not exceed three minutes; the Secretary 
will keep track of the time and advise when the time for public testimony has expired. Persons authorized 
to provide public testimony shall not use vulgar, abusive, or otherwise inappropriate language when 
addressing the Board; failure to act appropriately; failure to speak to an item that is germane to the 
meeting, or failure to adhere to the time requirements may result in expulsion from the meeting and/or 
disqualify the person from providing future testimony. 


18-6050 


COMMITTEE MINUTES 


Approval of the minutes from the meeting of 9/12/2018 


18-5634 

Sponsored by: TONI PRECKWINKLE (President) and JOHN A. FRITCHEY, Cook County Board 
of Commissioners 

PROPOSED ORDINANCE AMENDMENT 

PROPOSED ORDINANCE AMENDMENT AND ORDINANCE REGARDING 
INFORMATION TECHNOLOGY CONSOLIDATION 
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NOW, THEREFORE, BE IT ORDAINED, by the Cook County Board of Commissioners, that 
Chapter 2 ADMINISTRATION. Article XII - Cook County Information Technology Security, Division 1. 
- Cook County Information Technology Security, Sections 2-960, 2-963, 2-964 and reserved section 
numbers, of the Cook County Code is hereby amended as follows: 

ARTICLE XII. - COOK COUNTY INFORMATION TECHNOLOGY SECURITY 

DIVISION I - COOK COUNTY INFORMATION SECURITY 


Sec. 2-960. - Short title. 

This Article division shall be known and may be cited as the "Cook County Information Security 
Ordinance.” 

Sec. 2-961. - Purpose and policy. 

All separately elected County and State Officials, Departments, Office Institutions or Agencies 

funded by the Cook County Board of Commissioners, including, but not limited to, the offices and 
departments under the control of the County Board President, the Board of Commissioners, Cook County 
Health and Hospitals System, State's Attorney of Cook County, Cook County Sheriff, Cook County Public 
Defender, Illinois Clerk of the Circuit Court of Cook County, Cook County Treasurer, Cook County Clerk, 
Cook County Recorder of Deeds, Cook County Assessor, Chief Judge of the Circuit Court of Cook 

County, Board of Review , Cook County Public Defender , Cook County Independent Inspector General, 

Cook County Veteran's Assistance Commission and the Public Administrator (collectively, "Agency") 

shall take all appropriate precautions to protect the confidentiality, integrity, and availability of information 
Such precautions shall be in accordance with applicable Federal and State laws and regulations and take 
into consideration industry standards and best practices. 




Sec. 2-963. - Definitions. 

The following words, terms and phrases, when used in this Article division shall have the meanings 

ascribed to them in this Section, except where the context clearly indicates a different meaning: 

Guideline means a recommendation to assist an Agency employee or contractor in making 
appropriate decisions or performing a particular task, which allows for latitude in interpretation and 
implementation. 

Plan means a comprehensive document that details strategic direction, which may also provide 
additional details, such as Standards used and so forth. 
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Data Subject means an individual about whom information is collected or processed. 

Policy means a document that communicates leadership expectations to a business unit or 
department of an Agency, which may also be considered as mandatory business mles or organization 
specific directives and which are communication of management intent. 

Procedure means a document stating the manner in which a Policy shall be functionally 
implemented in an Agency's environment, which may define specific operation steps, manual methods, or 
instractions for compliance with a Policy. 

Standard means a document that contains a specification or describes minimum implementation 
that satisfies a Policy. 

Sec. 2-964. - Information security framework. 

(a) The Information Security Working Group shall assist the Chief Information Security Officer 

(CISO) in creating, and updating as necessary, comprehensive and written information security Plans, 

Policies, Procedures, Standards, and Guidelines for the Agencies (collectively, the "Information Security 
Framework") to reasonably protect the confidentiality, integrity, and availability of Agency information. 

(b) In creating and updating the Information Security Framework, the Chief Information Security 

Officer (CISO) shall seek the advice and recommendations of each Agency in order to ensure that the 

Information Security Framework addresses unique considerations of said Agency; all Agencies shall 

advise and collaborate with the Chief Information Security Officer (CISO) in the creation of the 
Information Security Framework. 

(c) The Information Security Framework shall: 

(1) Be in accordance with applicable Federal and State laws and regulations; 

(2) State all Agencies' minimum requirements and precautions to protect the confidentiality, 
integrity, and availability of Agencies' information; 

(3) Address the unique considerations of each Agency in a manner that does not unduly interfere 

with the operations of such Agency or any confidentiality or privilege required for such 

operations; and 

(4) Take into consideration industry standards and best practices by including critical and 
necessary components of any such similar framework, for example, risk management 
processes, information security incident response plans, and data breach notification plans. 

(5) Include an Acceptable Use Policy compliant with Section 2-965 of this Article division . 
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Secs. 2-969. - Privacy Policy. 

The Information Security Working Group shall assist the Chief Information Security Officer (CISO) in 
creating, and updating as necessary, a comprehensive privacy policy (“Privacy Policy”) for the Agencies. 
The Privacy Policy shall govern the County’s handling practices, collection, and use of personal data, as 
well as the specific rights of Data Subjects . 




Secs. 2-97069- 2-9792-999 . - Reserved 


NOW, THEREFORE, BE IT ORDAINED, by the Cook County Board of Commissioners, that 
Chapter 2 ADMINISTRATION. Article XII - Cook County Information Technology, Division 2. - Cook 
County Information Technology Consolidation, Sections 2-980 through 2-999. of the Cook County Code is 
hereby enacted as follows: 

DIVISION 2 - COOK COUNTY INFORMATION TECHNOLOGY CONSOLIDATION 


Section 2-980. - Short title. 


This diyision shall be known and may be cited as the "Cook County Information Technology 
Consolidation Ordinance.” 


Section 2-981. - Purpose and Policy 

All separately elected County and State Officials. Departments, or Agencies funded by the Cook 
County Board of Commissioners, including, but not limited to, the offices and departments under the 
control of the County Board President, the Board of Commissioners. Cook County Health and Hospitals 
System. State's Attorney of Cook County. Cook County Sheriff. Cook County Public Defender. Illinois 
Clerk of the Circuit Court of Cook County. Cook County Treasurer. Cook County Clerk. Cook County 
Recorder of Deeds, Cook County Assessor. Chief Judge of the Circuit Court of Cook County. Board of 
Reyiew. Cook County Independent Inspector General. Cook County Veteran's Assistance Commission 
and the Public Administrator (collectiyely. "Agency") shall, except as otherwise proyided in this Diyision. 
coordinate to deliyer information technology seryices in an efficient and cost-effectiye manner consistent 
with County. State and Federal law and industry standards. Agencies not established under the Board of 
Commissioners or Office of the County Board President may elect, but are not required to. abide by the 
proyisions of this Diyision. 
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Section 2-982. - Consolidation Studies 


fa) The CIO shall, in collaboration with participating Agencies, conduct a study into the viability of 
consolidating the following technology functions: 

fl) Active directory, including a consolidated identity and access management system; and 

(2) Data center. 

fb) The CIO shall issue a report to the Cook County Board President and Cook County Board of 
Commissioners. Technology Committee regarding the viability of consolidating the above-referenced 
functions no later than January 1. 2020. 

Section 2-983. - Powers and Duties of the Cook County Chief Information Officer 

fa) The CIO shall, in collaboration with participating Agencies, develop policies and standards 
relating to technology that may be adopted by participating Agencies, including the following areas: 

fl) Procurement standards: 

f2) Productivity tools, including service desk and data center monitoring software; 

f3) Software development; 

f4) Hardware and architecture; 

f5) Asset management: and 

f6) Any other category of technology, 

fb) The CIO shall establish a change management process to coordinate all changes to 
information technology services or infrastructure that impact Countvwide information technology 
operations. 

fc) The CIO shall create a multi-year. Countywide Technology Strategic Plan, which shall be 
presented to the President and the Cook County Board of Commissioners for receipt and file on an annual 
basis. 


fd) The CIO shall seek the advice and recommendations of each participating Agency to ensure 
that any shared service or policy adopted by the CIO addresses the unique considerations and legal 
mandates governing each participating Agency and does not unduly interfere with the operations of such 
participating Agency. 

Section 2-984. - Powers and Duties of Participating Agencies 

fa) Chargebacks. Each participating Agency is responsible for its share of the cost of shared 


Page 5 o f 7 










Technology and Innovation 
Committee 


NOTICE AND AGENDA 


September 26, 2018 


information technology products or services. The CIO shall determine the chargeback amount for shared 
products or services prior to delivery. The CIO shall ensure that the chargebacks are transparent and that 
the chargeback amount does not exceed the actual cost to the County of the information technology 
product or service. 

Section 2-985. - Consolidated Service Desk 


fa) The County shall establish a Countvwide Service Desk (“County Service Desk”) managed by 

the CIO. 


fb) The County Service Desk shall provide Tier 1 support to the Offices under the President and, 
by agreement, any participating Agency. 

fl) Tier 1 support is a basic leyel of support, with customer representatiyes who possess a broad 
understanding of County IT enyironments. 

(2) Except as by agreement between BOT and participating Agencies, participating Agencies 
shall remain responsible for Tier 2 support. 

fc) The CIO shall implement a County Seryice Desk seryice catalogue and service leyels 
consistent with industry standards. 

fd) The CIO and any participating Agency shall agree upon a project schedule to transfer Tier 1 
support to the County Seryice Desk, and if applicable. Agency-specific seryice leyel agreements. 

fe) The CIO shall implement all legally-mandated controls related to personal health information, 
criminal justice information, or any other sensitiye data type prior to assuming Tier 1 support for any 
function that that may require access to such data. 

ff) The CIO shall proyide a monthly report on County Seryice Desk metrics, including seryice 
leyel reports, to the participating Agencies. The CIO shall deliyer the first County Seryice Desk report 
within 60 days of the establishment of the County Seryice Desk, 

Sec. 2-986. Adoption and Compliance. 

The adoption of any shared seryice or policy as set forth in this diyision shall not affect any rights 
and responsibilities arising under any law, including the Illinois Constitution, the Illinois Counties Code or 
the Code of Ordinances of Cook County. Illinois. 

Secs. 2-987-2-999. - Reserved 


Effective date: This ordinance shall be in effect immediately upon adoption 
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Legislative History : 9/12/18 - Board of Commissioners - refer to the Technology and Innovation Comm 

18-5657 

Presented by: F. THOMAS LYNCH, Chief Information Officer, Bureau of Technology 

REPORT 

Department: Bureau of Technology 

Report Title: Information Security Framework Semi-Annual Report 
Report Period: 2/1/2018 - 7/31/2018 

Summary: Pursuant to Resolution 17-2732, the Chief Information Security Officer shall update the 

Board of Commissioners via the Technology Committee on the state of the information security in Cook 
County government. The Information Security Framework Semi-Annual Report will provide the status ol 
all Agencies’ adoption and compliance of the Information Security Framework. Included in the report is a 
summary of all advice and recommendations of each Agency regarding their unique considerations. 
Additionally, updates will be provided regarding current security controls and the Vulnerability Threat 
Management Program. 

A closed meeting is requested, pursuant to an exception to the Open Meetings Act, 5 ILCS 120/2 (c) (8): 
“Security procedures, school building safety and security, and the use of the personnel and equipment to 
respond to an actual, a threatened, or a reasonably potential danger to the safety of employees, students, 
staff, the public, or public property.” Given the confidential nature of the Report, a closed meeting is 
necessary to maintain the safety and security of Cook County residents and stakeholders. 

Legislative History : 9/12/18 - Board of Commissioners - refer to the Technology and Innovation Comm 


Secretary 

Chainnan: Fritchey 

Vice-Chairman: Morrison 

Members: Butler, Daley, Deer, Garcia, Goslin, Schneider, Silvestri 
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